From c4092d26696fddaa1e1c29800c6ca7ef4c6b058f Mon Sep 17 00:00:00 2001
From: "wirth.marcel" <wirth.marcel@4033779f-a91e-0410-96ef-6bf7bf53c507>
Date: Wed, 9 Apr 2008 11:51:04 +0000
Subject: [PATCH] Session Fixation
git-svn-id: http://webgoat.googlecode.com/svn/trunk@306 4033779f-a91e-0410-96ef-6bf7bf53c507
---
.../webgoat/lessons/SessionFixation.java | 825 ++++++++++++------
1 file changed, 561 insertions(+), 264 deletions(-)
diff --git a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
index db69846ca..77510a4e8 100644
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
@@ -1,31 +1,76 @@
package org.owasp.webgoat.lessons;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.List;
+import java.util.Random;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.A;
import org.apache.ecs.html.B;
+import org.apache.ecs.html.Div;
+import org.apache.ecs.html.Form;
+import org.apache.ecs.html.H2;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea;
+import org.apache.ecs.xhtml.style;
+import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ *
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Reto Lippuner, Marcel Wirth
+ * @created April 8, 2008
+ */
+
public class SessionFixation extends SequentialLessonAdapter
{
- private String LoggedInUser = "";
-
private final String mailTo = "jane.plane@owasp.org";
private final String mailFrom = "admin@webgoatfinancial.com";
private final String mailTitel = "Check your account";
- private final String MAILCONTENTNAME = "mailname";
+ private final String MAILCONTENTNAME = "mailContent";
private final static String USER = "user";
private final static String PASSWORD = "pass";
+ private final static String LOGGEDIN = "loggedin";
+ private final static String LOGGEDINUSER = "loggedInUser";
+ private final static Random random = new Random(System.currentTimeMillis());
+ private String sid = "";
/**
* Creates Staged WebContent
@@ -34,6 +79,76 @@ public class SessionFixation extends SequentialLessonAdapter
*/
protected Element createContent(WebSession s)
{
+ String sid = s.getParser().getStringParameter("SID","");
+ if (!sid.equals(""))
+ {
+ this.sid = sid;
+ }
+ if(!s.getParser().getStringParameter("Restart", "").equals(""))
+ {
+ s.add(LOGGEDIN, "false");
+ s.add("SID","");
+ this.sid = "";
+ }
+ if (getLessonTracker(s).getStage() == 3)
+ {
+ s.add("SID", sid);
+ if (!sid.equals(""))
+ {
+ s.add("SID", sid);
+ }
+ else
+ {
+ String randomSid = randomSIDGenerator();
+ s.add("SID", randomSid);
+ this.sid = randomSid;
+ System.out.println("RANDOMSID " + randomSid);
+ }
+
+ String name = s.getParser().getStringParameter(USER, "");
+ String password = s.getParser().getStringParameter(PASSWORD, "");
+ if(correctLogin(name, password, s))
+ {
+ getLessonTracker(s).setStage(4);
+ s.setMessage("You completed stage 3!");
+ }
+
+ }
+ if(getLessonTracker(s).getStage() == 4)
+ {
+ if (sid.equals(""))
+ {
+ String randomSid = randomSIDGenerator();
+ this.sid = randomSid;
+ }
+ }
+
+ if (getLessonTracker(s).getStage() == 2)
+ {
+ if (!sid.equals(""))
+ {
+ System.out.println("MySid: " + sid);
+ s.add("SID", sid);
+ getLessonTracker(s).setStage(3);
+ s.setMessage("You completed stage 2!");
+ }
+ else
+ {
+ createStage2Content(s);
+ }
+ }
+
+ String mailContent = s.getParser().getRawParameter(MAILCONTENTNAME, "");
+ if (!mailContent.equals(""))
+ {
+ s.add(MAILCONTENTNAME, mailContent);
+ }
+ if (mailContent.contains(getLink()+"&SID=") && getLessonTracker(s).getStage() == 1)
+ {
+ getLessonTracker(s).setStage(2);
+ s.setMessage("You completed stage 1!");
+ }
+
return super.createStagedContent(s);
}
@@ -44,30 +159,79 @@ public class SessionFixation extends SequentialLessonAdapter
*/
protected ElementContainer doStage1(WebSession s)
{
+
ElementContainer ec = new ElementContainer();
- String mailContent = s.getParser().getStringParameter(MAILCONTENTNAME, "");
- if (mailContent.contains("SSID"))
- {
-
- // ec.addElement(mailContent);
- return ec;
- }
-
ec.addElement(createStage1Content(s));
return ec;
}
+
+ @Override
+ public String getHint(WebSession s, int hintNumber)
+ {
+ // TODO Auto-generated method stub
+ return super.getHint(s, hintNumber);
+ }
+
+ @Override
+ protected Element doStage2(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(createStage2Content(s));
+ return ec;
+ }
+
+ private Element createStage2Content(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ String mailContent = (String) s.get(MAILCONTENTNAME);
+
+ ec.addElement(mailContent);
+
+ return ec;
+
+ }
+
+ @Override
+ protected Element doStage3(WebSession s) throws Exception
+ {
+ return createStage3Content(s);
+ }
+
+ @Override
+ protected Element doStage4(WebSession s) throws Exception
+ {
+ return createStage4Content(s);
+ }
+
+ private Element createStage3Content(WebSession s)
+ {
+
+ return createMainLoginContent(s);
+ }
+
+ private Element createStage4Content(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Hello Hacker");
+ return ec;
+ //return createMainLoginContent(s);
+ }
private Element createStage1Content(WebSession s)
{
String link = getLink();
- String mailText = "Dear MS. Plane <br><br>" + "During the last week we had a few problems with our servers. "
+ String mailText = "<b>Dear MS. Plane</b> <br><br>"
+ + "During the last week we had a few problems with our database. "
+ "A lot of people complained that there account details are wrong. "
+ "That is why we kindly ask you to use following link to verify your "
- + "data:<br><br><center><a href=" + link + "&XXXX=YYYYYYYY> WebGoat Financial</a></center><br><br>"
+ + "data:<br><br><center><a href="
+ + link
+ + "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the caused inconvenience and thank you for your colaboration.<br><br>"
- + "Your WebGoat Financial Team";
+ + "<b>Your Goat Hills Financial Team</b><center> <br><br><img src='images/WebGoatFinancial/banklogo.jpg'></center>";
ElementContainer ec = new ElementContainer();
Table table = new Table();
@@ -128,8 +292,8 @@ public class SessionFixation extends SequentialLessonAdapter
td6.addElement(titleField);
TextArea mailContent = new TextArea();
- mailContent.addAttribute("cols", 50);
- mailContent.addAttribute("rows", 10);
+ mailContent.addAttribute("cols", 60);
+ mailContent.addAttribute("rows", 9);
mailContent.addElement(mailText);
mailContent.setName(MAILCONTENTNAME);
td7.addElement(mailContent);
@@ -145,262 +309,332 @@ public class SessionFixation extends SequentialLessonAdapter
* @param s
* @return Element
*/
- protected Element createMainContent(WebSession s)
+ protected Element createMainLoginContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
+ try
+ {
+ style sty = new style();
- // try
- // {
- //
- //
- // style sty = new style();
- //
- // sty.addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header
- // {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:
- // 490px;padding-right: 10px;padding-top: 60px;background-repeat:
- // no-repeat;}.lesson_workspace {background-image:
- // url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height:
- // 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} .lesson_text
- // {height: 240px;width: 460px;padding-top: 5px;} #lesson_buttons_bottom {height:
- // 20px;width: 460px;} #lesson_b_b_left {width: 300px;float: left;} #lesson_b_b_right input
- // {width: 100px;float: right;} .lesson_title_box {height: 20px;width: 420px;padding-left:
- // 30px;} .lesson_workspace { } .lesson_txt_10 {font-family: Arial, Helvetica,
- // sans-serif;font-size: 10px;} .lesson_text_db {color: #0066FF} #lesson_login
- // {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height:
- // 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left:
- // 80px;margin-top: 50px;text-align: center;} #lesson_login_txt {font-family: Arial,
- // Helvetica, sans-serif;font-size: 12px;text-align: center;} #lesson_search
- // {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height:
- // 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left:
- // 80px;margin-top: 50px;text-align: center;}");
- // ec.addElement(sty);
- //
- // Div wrapperDiv = new Div();
- // wrapperDiv.setID("lesson_wrapper");
- //
- // Div headerDiv = new Div();
- // headerDiv.setID("lesson_header");
- //
- // Div workspaceDiv = new Div();
- // workspaceDiv.setClass("lesson_workspace");
- //
- // wrapperDiv.addElement(headerDiv);
- // wrapperDiv.addElement(workspaceDiv);
- //
- // ec.addElement(wrapperDiv);
- //
- // workspaceDiv.addElement(createWorkspaceContent(s));
- //
- // } catch (Exception e)
- // {
- // s.setMessage("Error generating " + this.getClass().getName());
- // e.printStackTrace();
- // }
+ sty
+ .addElement("#lesson_wrapper {height: 435px;width: "
+ + "500px;}#lesson_header {background-image: "
+ + "url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:"
+ + " 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace "
+ + "{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: "
+ + "325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} "
+ + ".lesson_text {height: 240px;width: 460px;padding-top: 5px;} "
+ + "#lesson_buttons_bottom {height: 20px;width: 460px;} "
+ + "#lesson_b_b_left {width: 300px;float: left;} "
+ + "#lesson_b_b_right input {width: 100px;float: right;} "
+ + ".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} "
+ + ".lesson_workspace { } "
+ + ".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} "
+ + ".lesson_text_db {color: #0066FF} "
+ + "#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: "
+ + "124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:"
+ + " 50px;text-align: center;} #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: "
+ + "12px;text-align: center;} #lesson_search {background-image: "
+ + "url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: "
+ + "no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
+ ec.addElement(sty);
+
+ Div wrapperDiv = new Div();
+ wrapperDiv.setID("lesson_wrapper");
+
+ Div headerDiv = new Div();
+ headerDiv.setID("lesson_header");
+
+ Div workspaceDiv = new Div();
+ workspaceDiv.setClass("lesson_workspace");
+
+ wrapperDiv.addElement(headerDiv);
+ wrapperDiv.addElement(workspaceDiv);
+
+ ec.addElement(wrapperDiv);
+
+ workspaceDiv.addElement(createWorkspaceContent(s));
+
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
+ }
return (ec);
+
}
- // /**
- // * Creation of the content of the workspace
- // * @param s
- // * @return Element
- // */
- // private Element createWorkspaceContent(WebSession s)
- // {
- //
- //
- // ElementContainer ec = new ElementContainer();
- //
- // return ec;
- // }
+ /**
+ * Creation of the content of the workspace
+ *
+ * @param s
+ * @return Element
+ */
+ private Element createWorkspaceContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+ String name = s.getParser().getStringParameter(USER, "");
+ String password = s.getParser().getStringParameter(PASSWORD, "");
+
+ try
+ {
+ // Logout Button is pressed
+ if (s.getParser().getRawParameter("logout", "").equals("true"))
+ {
+ s.add(LOGGEDIN, "false");
+ s.add("SID","");
+ this.sid = "";
- // /**
- // * Create content for logging in
- // * @param ec
- // */
- // private void createLogInContent(ElementContainer ec, String errorMessage) {
- // Div loginDiv = new Div();
- // loginDiv.setID("lesson_login");
- //
- // Table table = new Table();
- // //table.setStyle(tableStyle);
- // table.addAttribute("align='center'", 0);
- // TR tr1 = new TR();
- // TD td1 = new TD();
- // TD td2 = new TD();
- // td1.addElement(new StringElement("Enter your name: "));
- // td2.addElement(new Input(Input.TEXT, USER));
- // tr1.addElement(td1);
- // tr1.addElement(td2);
- //
- // TR tr2 = new TR();
- // TD td3 = new TD();
- // TD td4 = new TD();
- // td3.addElement(new StringElement("Enter your password: "));
- // td4.addElement(new Input(Input.PASSWORD, PASSWORD));
- // tr2.addElement(td3);
- // tr2.addElement(td4);
- //
- //
- // TR tr3 = new TR();
- // TD td5 = new TD();
- // td5.setColSpan(2);
- // td5.setAlign("center");
- //
- // td5.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
- // tr3.addElement(td5);
- //
- // table.addElement(tr1);
- // table.addElement(tr2);
- // table.addElement(tr3);
- // loginDiv.addElement(table);
- // ec.addElement(loginDiv);
- //
- // H2 errorTag = new H2(errorMessage);
- // errorTag.addAttribute("align", "center");
- // errorTag.addAttribute("class", "info");
- // ec.addElement(errorTag);
- //
- //
- // }
+ }
+ if (correctLogin(name, password, s))
+ {
+ s.add(LOGGEDINUSER, name);
+ s.add(LOGGEDIN, "true");
+ createSuccessfulLoginContent(s, ec);
+ }
+ else if (sid.equals(s.get("SID")) && s.get(LOGGEDIN).equals("true"))
+ {
+ createSuccessfulLoginContent(s, ec);
+ }
+ else
+ {
+ createLogInContent(ec, "");
+ }
+ } catch (Exception e)
+ {
+ createLogInContent(ec, "");
+ }
- // /**
- // * Create content after a successful login
- // * @param s
- // * @param ec
- // */
- // private void createSuccessfulLoginContent(WebSession s,
- // ElementContainer ec) {
- //
- // String userDataStyle = "margin-top:50px;";
- //
- // Div userDataDiv = new Div();
- // userDataDiv.setStyle(userDataStyle);
- // userDataDiv.addAttribute("align", "center");
- // Table table = new Table();
- // table.addAttribute("cellspacing", 10);
- // table.addAttribute("cellpadding", 5);
- //
- // table.addAttribute("align", "center");
- // TR tr1 =new TR();
- // TR tr2 = new TR();
- // TR tr3 = new TR();
- // TR tr4 = new TR();
- // tr1.addElement(new TD("<b>Firstname:</b>"));
- // tr1.addElement(new TD(LoggedInUser));
- //
- // try
- // {
- // ResultSet results = getUser(LoggedInUser, s);
- // results.first();
- //
- // tr2.addElement(new TD("<b>Lastname:</b>"));
- // tr2.addElement(new TD(results.getString("last_name")));
- //
- // tr3.addElement(new TD("<b>Credit Card Type:</b>"));
- // tr3.addElement(new TD(results.getString("cc_type")));
- //
- // tr4.addElement(new TD("<b>Credit Card Number:</b>"));
- // tr4.addElement(new TD(results.getString("cc_number")));
- //
- //
- // }
- //
- // catch (Exception e)
- // {
- // e.printStackTrace();
- // }
- // table.addElement(tr1);
- // table.addElement(tr2);
- // table.addElement(tr3);
- // table.addElement(tr4);
- //
- // userDataDiv.addElement(table);
- // ec.addElement(userDataDiv);
- // ec.addElement(createLogoutLink());
- // }
+ return ec;
+ }
- // /**
- // * Create a link for logging out
- // * @return Element
- // */
- // private Element createLogoutLink()
- // {
- // A logoutLink = new A();
- // logoutLink.addAttribute("href", getLink() + "&logout=true");
- // logoutLink.addElement("Logout");
- //
- // String logoutStyle = "margin-right:50px; mrgin-top:30px";
- // Div logoutDiv = new Div();
- // logoutDiv.addAttribute("align", "right");
- // logoutDiv.addElement(logoutLink);
- // logoutDiv.setStyle(logoutStyle);
- //
- // return logoutDiv;
- // }
+ /**
+ * See if the user has logged in correctly
+ *
+ * @param s
+ * @return true if loggedIn
+ */
+ private boolean loggedIn(WebSession s)
+ {
+ try
+ {
+ return s.get(LOGGEDIN).equals("true");
+ } catch (Exception e)
+ {
+ return false;
+ }
+ }
- // /**
- // * Get a user by its name
- // * @param user
- // * @param s
- // * @return ResultSet containing the user
- // */
- // private ResultSet getUser(String user, WebSession s)
- // {
- // try {
- // Connection connection = DatabaseUtilities.getConnection(s);
- // String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
- // PreparedStatement prepStatement =connection.prepareStatement(query,
- // ResultSet.TYPE_SCROLL_INSENSITIVE,
- // ResultSet.CONCUR_READ_ONLY);
- // prepStatement.setString(1, user);
- //
- //
- // ResultSet results = prepStatement.executeQuery();
- //
- // return results;
- //
- // } catch (Exception e) {
- // e.printStackTrace();
- // }
- // return null;
- //
- // }
+ /**
+ * See if the password and corresponding user is valid
+ *
+ * @param userName
+ * @param password
+ * @param s
+ * @return true if the password was correct
+ */
+ private boolean correctLogin(String userName, String password, WebSession s)
+ {
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+ String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
+ PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ prepStatement.setString(1, userName);
+ prepStatement.setString(2, password);
- // /**
- // * See if the password and corresponding user is valid
- // * @param userName
- // * @param password
- // * @param s
- // * @return true if the password was correct
- // */
- // private boolean correctLogin(String userName, String password, WebSession s)
- // {
- // try {
- // Connection connection = DatabaseUtilities.getConnection(s);
- // String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
- // PreparedStatement prepStatement =connection.prepareStatement(query,
- // ResultSet.TYPE_SCROLL_INSENSITIVE,
- // ResultSet.CONCUR_READ_ONLY);
- // prepStatement.setString(1, userName);
- // prepStatement.setString(2, password);
- //
- // ResultSet results = prepStatement.executeQuery();
- //
- // if ((results != null) && (results.first() == true))
- // {
- //
- // return true;
- //
- // }
- //
- // } catch (Exception e) {
- // e.printStackTrace();
- // }
- //
- // return false;
- //
- // }
+ ResultSet results = prepStatement.executeQuery();
+
+ if ((results != null) && (results.first() == true)) {
+
+ return true;
+
+ }
+
+ } catch (Exception e)
+ {
+ e.printStackTrace();
+ }
+
+ return false;
+
+ }
+
+ /**
+ * Create content for logging in
+ *
+ * @param ec
+ */
+ private void createLogInContent(ElementContainer ec, String errorMessage)
+ {
+ Div loginDiv = new Div();
+ loginDiv.setID("lesson_login");
+
+ Table table = new Table();
+ // table.setStyle(tableStyle);
+ table.addAttribute("align='center'", 0);
+ TR tr1 = new TR();
+ TD td1 = new TD();
+ TD td2 = new TD();
+ td1.addElement(new StringElement("Enter your name: "));
+ td2.addElement(new Input(Input.TEXT, USER));
+ tr1.addElement(td1);
+ tr1.addElement(td2);
+
+ TR tr2 = new TR();
+ TD td3 = new TD();
+ TD td4 = new TD();
+ td3.addElement(new StringElement("Enter your password: "));
+ td4.addElement(new Input(Input.PASSWORD, PASSWORD));
+ tr2.addElement(td3);
+ tr2.addElement(td4);
+
+ TR tr3 = new TR();
+ TD td5 = new TD();
+ td5.setColSpan(2);
+ td5.setAlign("center");
+
+ td5.addElement(new Input(Input.SUBMIT, "Submit", "Login"));
+ tr3.addElement(td5);
+
+ table.addElement(tr1);
+ table.addElement(tr2);
+ table.addElement(tr3);
+ loginDiv.addElement(table);
+ ec.addElement(loginDiv);
+
+ H2 errorTag = new H2(errorMessage);
+ errorTag.addAttribute("align", "center");
+ errorTag.addAttribute("class", "info");
+ ec.addElement(errorTag);
+
+ }
+
+ /**
+ * Create content after a successful login
+ *
+ * @param s
+ * @param ec
+ */
+ private void createSuccessfulLoginContent(WebSession s, ElementContainer ec)
+ {
+
+ String userDataStyle = "margin-top:50px;";
+
+ Div userDataDiv = new Div();
+ userDataDiv.setStyle(userDataStyle);
+ userDataDiv.addAttribute("align", "center");
+ Table table = new Table();
+ table.addAttribute("cellspacing", 10);
+ table.addAttribute("cellpadding", 5);
+
+ table.addAttribute("align", "center");
+ TR tr1 = new TR();
+ TR tr2 = new TR();
+ TR tr3 = new TR();
+ TR tr4 = new TR();
+ tr1.addElement(new TD("<b>Firstname:</b>"));
+ tr1.addElement(new TD(getLoggedInUser(s)));
+
+ try
+ {
+ ResultSet results = getUser(getLoggedInUser(s), s);
+ results.first();
+
+ tr2.addElement(new TD("<b>Lastname:</b>"));
+ tr2.addElement(new TD(results.getString("last_name")));
+
+ tr3.addElement(new TD("<b>Credit Card Type:</b>"));
+ tr3.addElement(new TD(results.getString("cc_type")));
+
+ tr4.addElement(new TD("<b>Credit Card Number:</b>"));
+ tr4.addElement(new TD(results.getString("cc_number")));
+
+ }
+
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ }
+ table.addElement(tr1);
+ table.addElement(tr2);
+ table.addElement(tr3);
+ table.addElement(tr4);
+
+ userDataDiv.addElement(table);
+ ec.addElement(userDataDiv);
+ ec.addElement(createLogoutLink());
+
+ }
+
+ /**
+ * Create a link for logging out
+ *
+ * @return Element
+ */
+ private Element createLogoutLink()
+ {
+ A logoutLink = new A();
+ logoutLink.addAttribute("href", getLink() + "&logout=true");
+ logoutLink.addElement("Logout");
+
+ String logoutStyle = "margin-right:50px; mrgin-top:30px";
+ Div logoutDiv = new Div();
+ logoutDiv.addAttribute("align", "right");
+ logoutDiv.addElement(logoutLink);
+ logoutDiv.setStyle(logoutStyle);
+
+ return logoutDiv;
+ }
+
+ /**
+ * Get a user by its name
+ *
+ * @param user
+ * @param s
+ * @return ResultSet containing the user
+ */
+ private ResultSet getUser(String user, WebSession s)
+ {
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+ String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
+ PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ prepStatement.setString(1, user);
+
+ ResultSet results = prepStatement.executeQuery();
+
+ return results;
+
+ } catch (Exception e)
+ {
+ e.printStackTrace();
+ }
+ return null;
+
+ }
+
+ /**
+ * Get the logged in user
+ *
+ * @param s
+ * @return the logged in user
+ */
+ private String getLoggedInUser(WebSession s)
+ {
+ try
+ {
+ String user = (String) s.get(LOGGEDINUSER);
+ return user;
+ } catch (Exception e)
+ {
+ return "";
+ }
+ }
/**
* Get the category
@@ -421,9 +655,13 @@ public class SessionFixation extends SequentialLessonAdapter
{
List<String> hints = new ArrayList<String>();
- hints.add("Stage 1: Just do a regular login");
- hints.add("Stage 2: How does the server know which TAN has to be used");
- hints.add("Stage 2: Maybe taking a look at the source code helps");
+ hints.add("Stage 1: Where is the link in the mail?");
+ hints.add("Stage 1: Add a SID to the link");
+ hints.add("Stage 1: A SID could looke something like this: SID=Whatever");
+ hints.add("Stage 1: Alter the link in the mail to: href=" + getLink() + "&SID=Whatever");
+ hints.add("Stage 2: Click on the link!");
+ hints.add("Stage 3: Log in as Jane with user name jane and password tarzan.");
+
hints.add("Stage 2: Watch out for hidden fields");
hints.add("Stage 2: Manipulate the hidden field 'hidden_tan'");
@@ -436,7 +674,32 @@ public class SessionFixation extends SequentialLessonAdapter
*/
public String getInstructions(WebSession s)
{
- String instructions = "Stub";
+ int stage = getLessonTracker(s).getStage();
+ String instructions = "STAGE " +stage+": ";
+ if(stage == 1)
+ {
+ instructions += "You are Hacker Joe and " +
+ "you want to steal the session from Jane. " +
+ "That is why you have to send a phishing mail " +
+ "to her. The mail is already prepared. Only " +
+ "thing missing is a Session ID (SID) in the Link. Alter " +
+ "the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
+ }
+ else if (stage == 2)
+ {
+ instructions += "Now you are the victim Jane who received the mail you see. " +
+ "If you point on the link with your mouse you will see that there is a SID included." +
+ "Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
+ }
+ else if (stage == 3)
+ {
+ instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are " +
+ "correct ;). Your user name is Jane and your password is tarzan. <br><br><b>You are: Victim Jane</b> ";
+ }
+ else if (stage == 4)
+ {
+ instructions += "It is time to steal the session. <br><br><b>You are: Hacker Joe</b> ";
+ }
return (instructions);
}
@@ -458,5 +721,39 @@ public class SessionFixation extends SequentialLessonAdapter
{
return ("Session Fixation");
}
+
+ @Override
+ public void handleRequest(WebSession s)
+ {
+ Form form = new Form();
+ form.addElement(createContent(s));
+ form.setAction(getFormAction());
+ form.setMethod(Form.POST);
+ form.setName("form");
+ form.setEncType("");
+ setContent(form);
+ }
+
+ @Override
+ public String getLink()
+ {
+
+ if(sid.equals(""))
+ {
+ return super.getLink();
+ }
+ return super.getLink() + "&SID=" + sid;
+ }
+
+
+ private String randomSIDGenerator()
+ {
+ String sid = "";
+
+ sid = String.valueOf(Math.abs(random.nextInt()%100000));
+ return sid;
+ }
+
+
}